maria-discuss team mailing list archive

Re: Doubt - replication and ssh/ssl

It depends; for the WAN, a VPN is enough.
OpenVPN supports compression:

# Enable compression on the VPN link
# If you enable it here, you must also
# enable it in the client config file
comp-lzo

but keep in mind that the link between MySQL and the VPN
server itself is unencrypted, so if you need end-to-end
encryption for security reasons, use both

however, MySQL supports compression for replication natively:

http://dev.mysql.com/doc/refman/5.0/en/replication-options-slave.html
--slave_compressed_protocol={0|1}

  Command-Line Format    --slave_compressed_protocol
  Option-File Format     slave_compressed_protocol
  System Variable Name   slave_compressed_protocol
  Variable Scope         Global
  Dynamic Variable       Yes
  Permitted Values       Type: boolean, Default: OFF

If this option is set to 1, use compression for the slave/master protocol if both the slave and the master support
it. The default is 0 (no compression).

On 19.02.2014 17:16, Roberto Spadim wrote:
> nice, I will try a VPN. Do you think I need SSL + VPN, or does just a VPN give good security and good compression? The
> link is very poor (satellite with very high delay, ~1 second or more)
> 
> 2014-02-19 11:15 GMT-03:00 Reindl Harald <h.reindl@xxxxxxxxxxxxx>:
> 
>     On 19.02.2014 14:10, Roberto Spadim wrote:
>     > What is better (better = more secure, and with good compression), an ssh tunnel
>     > or a native MariaDB SSL connection between master/slave replication
>     > MariaDB servers?
> 
>     both combined - any replication here is using mysql-ssl-encryption, even
>     between VMs on the same host because they may be split to different
>     hosts in case of VMotion
> 
>     since I would never ever have MariaDB/MySQL listening, the ssh-tunnel is
>     mandatory in any case, or better, if possible, OpenVPN because the
>     encryption and HMAC-authentication of OpenVPN improves security
>     dramatically
> 
>     _____________________________________
> 
>     have fun trying to break that tunnel: you need the "ta.key" to even get any
>     packet accepted, then ca.crt and client.crt, and need to break DHE-AES
> 
>     and since it's easy to set up MySQL replication with SSL *inside* that
>     tunnel it gets wrapped - until today nobody on this planet can break
>     that all at once without a rootkit on the involved machines
> 
>     Tue Feb 18 22:10:15 2014 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
>     Tue Feb 18 22:10:15 2014 Diffie-Hellman initialized with 4096 bit key
>     Tue Feb 18 22:10:15 2014 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
>     Tue Feb 18 22:10:15 2014 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
>     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Encrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
>     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
>     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Data Channel Decrypt: Using 512 bit message hash 'SHA512' for HMAC authentication
>     Tue Feb 18 21:10:27 2014 62.178.103.85:11258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA


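As an added example (editor's illustration, not from the thread or from MariaDB's documentation), the MariaDB side of the layered setup described above: replication over SSL that itself runs inside the OpenVPN tunnel, with the master refusing any replication login that does not present a client certificate, and the slave_compressed_protocol option from the quoted manual page switched on. Assumed values: a VPN subnet 10.8.0.0/24 with the master at 10.8.0.1, certificate files under /etc/mysql/ssl, and a replication account named repl.

```sql
-- ===== On the master (assumed tunnel address 10.8.0.1) =====
-- my.cnf is assumed to carry bind-address=10.8.0.1 plus ssl-ca/ssl-cert/ssl-key,
-- so MariaDB listens only on the VPN interface and can serve TLS at all.

-- REQUIRE X509: the slave must present a certificate signed by the CA in ssl-ca.
-- A plaintext login, or TLS without a client certificate, is refused for this
-- account even if the password is correct. The host pattern confines the
-- account to the VPN subnet, so it is unusable from any other network.
GRANT REPLICATION SLAVE ON *.* TO 'repl'@'10.8.0.%'
  IDENTIFIED BY 'replace-me-with-a-strong-password'
  REQUIRE X509;

-- ===== On the slave =====
STOP SLAVE;

-- MASTER_SSL=1 forces TLS for the replication I/O thread.
-- MASTER_SSL_VERIFY_SERVER_CERT=1 additionally checks that the master's
-- certificate Common Name equals the MASTER_HOST value, so the master's
-- certificate must be issued with CN = 10.8.0.1 for this to work; without it,
-- any CA-signed certificate would be accepted as "the master".
CHANGE MASTER TO
  MASTER_HOST = '10.8.0.1',
  MASTER_USER = 'repl',
  MASTER_PASSWORD = 'replace-me-with-a-strong-password',
  MASTER_SSL = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/slave-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;

-- The option quoted from the manual: compress the slave/master protocol before
-- it crosses the slow satellite link. It is a dynamic global, so no restart is
-- needed; persist it as slave_compressed_protocol=1 in my.cnf as well.
SET GLOBAL slave_compressed_protocol = 1;

START SLAVE;

-- Verify the result rather than trusting the config: Master_SSL_Allowed and
-- Master_SSL_Verify_Server_Cert should both read Yes, Slave_IO_Running Yes,
-- and Master_Host must be the tunnel address, not a public one.
SHOW SLAVE STATUS;
```

If Slave_IO_Running stays No after START SLAVE, Last_IO_Error will usually name the certificate problem (untrusted CA, or a CN that does not match MASTER_HOST), which is preferable to a silently unencrypted link.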